he is a sysadmin that refused to disclose passwords to an office which had the prudence to disclose ALL of those LIVE passwords and usernames as evidence in a public court... exposing personal information of millions of citizens in public databases...

i doubt that randomly selected array of 20-30 americans would be able to understand how insanely stupid this is.

The prosecutor said, "If I can show he did not stop after the officer indicated he should stop, will you convict him of fleeing arrest."

After just a couple questions by the jury it became very clear that the person in question may have driven a short distance, probably did not speed away, and may have not been aware the officer was trying to pull him over.

But, i'm sure the folks they selected on the panel would take the position, "Well-- its the LAW, he was told to stop and took 1000' instead of 100' to pull over so we convict him of a felony!"

For all the people who rail against the police, on the jury panel's i've been on, a lot of folks seem really ready to do what the prosecutor says and screw the hell out of their fellow human beings.

Jury nullification is the only way to go. just never admit that you believe in it. Just say, "I'm not convinced" if you think the law is unjust.

I can't believe they convicted him of a felony for this. I hope each of them is convicted of a similarly stupid law so they get justice. (and their are plenty of stupid laws on the books and increasingly facist ones).

The jury deliberated for several days before a lone holdout against conviction was removed from the panel, for reasons that were not disclosed. After an alternate was put in that juror's place, the panel started over and reached a decision in a matter of hours.

Allow me to elucidate this for you. I won't give the full details, but essentially this juror went into deliberations, had already made up his mind, informed the rest of the jurors that he had thought about the matter on his own and made up his mind, and didn't want to hear anything more about it. This is before we even went through all the questions we were required to examine per the jury instructions! Furthermore, he would not explain his position to the other eleven jurors.

He was not released for "having his own opinion" or being "a lone holdout". In fact, we welcomed a lively debate from both sides of the argument as that's a necessary part of jury deliberations. He was dismissed for other reasons, including outright refusal to follow the jury instructions and the law as provided to us by the judge.

He was dismissed for other reasons, including outright refusal to follow the jury instructions and the law as provided to us by the judge.

A citizen is not required to follow the law. It's called Jury Nullification. On the other hand, not explaining yourself isn't going to work. You pretty much have to know why you think what you think.

On the other hand, we just have to believe whatever you say, and I'm not willing to do that. This is why no court proceedings should ever be secret. We cannot judge the efficacy of our legal system in that manner. We need to know precisely what happened in the jury chamber to know if this juror should have been removed, or not. The only thing we in fact do not need to know is how each juror voted.

Yes, I was on the jury (see my post further on down). An essential part of jury deliberations is keeping an open mind, explaining your thoughts and opinions, and listening to the opinions of others. This was not the case here. I really won't go into the details on the matter as to not reveal personal information or background on the juror, but not only did he not do those items above, he also refused to follow the jury instructions and the legal definitions as provided by the judge that we had to use in our determination of the facts.

While you are allowed to look at testimony differently and debate that, you can't decide that a legal definition as provided by the judge is something you don't agree with and therefore won't follow. Essentially, you're supposed to follow the facts and then come to a conclusion. The problem here was that one person had a conclusion beforehand, and wanted to change the facts to fit it. It just doesn't work that way.

I am that network engineer that was on the jury (see long post further down).. His manager was an idiot, but I have worked for worse, including one that was put on medical leave for psychiatric issues after people learned he was bringing a gun to the office. I understand what it's like to work in a situation like that. However, if I am brought into an office with my manager's manager, an HR representative, and two police officers, and asked to provide access (important keyword -- access!, not my personal password), you can bet I would feel the situation unfair but I would provide that access.

The law he violated was CA Penal Code 502. That code deals with denial of computer service. He was the only person with access to a large and critical computer network. He was being reassigned and would no longer be working on that network. Obviously, you cannot have a network with no administrator(s) to manage or maintain it. He refused to provide access to that network. Not just simply refusing to tell his passwords, but refusing to provide access at all, even configuration backups. Furthermore, he configured the network in a manner which prevented any attempts to access it or reset the passwords, and in a few scenarios those attempts would have even brought the network down.

There were no formally adopted policies for computer or network security. Even then, there are common sense guidelines in the IT industry about sharing your password. But what common sense guideline is there that if you are assigned off of a project, you should then lock out the ability of anybody else to administer it?

I'll try to answer all the questions you presented. Yes, the relevant part of the law we convicted on was 502(c)(5). We were not even presented with the other portions of the penal code listed above. Specifically, he denied computer service to an authorized user without permission. The specific act here was not providing access to the FiberWAN routers and switches upon the request of the city's COO. For the permission part, he did not have any permission from anyone to not provide that access. We looked through the evidence for anything that would indicate that he had permission to deny access to an authorized user, but there was no such evidence. There was evidence, however, that it was part of his job duties to provide that access to authorized users.

"Computer services" is one of several terms with which we were provided specific, legal definitions which we were to follow. The computer service in question which he denied access to was the management and maintenance of the FiberWAN routers and switches themselves. Authorized users was one of the harder points to distinguish in this matter because there really was no formalized process to authorize or deauthorize users. However, we came to the conclusion that he knew that the person asking for access was authorized to obtain that access. This was made evident by many of the emails we had in evidence. Further, at this point, he had not been fired, but did know that he was being reassigned. Also, if they had not been authorized users, but he had given the passwords, he would not be guilty of the other sections because his actions would then have been both permitted, and within the scope of his employment because he was following the directives of his superiors. The fact that he eventually did relinquish the passwords to the mayor, I think, shows a continuation of past behavior in which if he didn't get what he liked he would simply go to the next higher person in the chain.

His actions were definitely not within the scope of his employment. We examined his job description, performance review, and many other documents to determine this. In fact, we determined that one of the main aspects of his employment was to maintain the stability and resiliency of the network he supported, and his actions actually were doing the exact opposite. Configuring a network to have no console access, to have the core routers come back from a power failure with no configuration, hiding the backups in locations unknown and encrypted -- these are all things that seem to go against what he was supposed to be doing in his work assignment.

There was a central password database (TACACS) in this case, that could have definitely been used here, but that really didn't play a large role in the deliberations.

I think the law fits this situation. I don't think anyone had really thought ahead that this type of situation would come up when it was written, but it certainly does fit. We were beyond a reasonable doubt. We actually brought that up many times as we wanted to make sure of that, and we many times did search through evidence and found things that did reinforce that.

Terry Childs was treated far worse in this matter than he should have. Personally, I think once he gave up access to the mayor, they should have dropped the charges, and at worst charged him with some sort of misdemeanor. From what I understand after the case, the bail was set so high because they were afraid if he was not in jail, he would have some sort of hidden access to the FiberWAN and would do something to damage it. However, I don't see why that bail couldn't have been reduced after the access was provided and other engineers cleaned everything up and made sure it was safe. The money that the city spent was actually spent before access was given to the mayor. This money was spent on recovery efforts by Cisco and other in reasonable efforts to regain access to the devices.

I know it seems like a clear cut case of office politics, and that's what I thought too before

As stupid as it is, its the law. He has an obligation to follow the law, not a moral technical compass. If there is a problem with the law then it needs to be changed not broken. You are your technical vigilantes need to be stopped from taking technology into your own hands.

How exactly was he breaking the law? As I understand it, the whole issue wasn't that he tampered with anything. Instead, he refused to disclose the passwords when the person requesting them did not follow proper protocols.

According to everything I have read he refused to hand over the password under any circumstance when his supervisors asked for them. There was no "only give to the mayor" rule. He was a regular employee working a regular job where he has the obligation to hand over information requested by his supervisor. After he was arrested and placed in custody is when he stated that he would only give the password to the mayor, not becuase it was a rule or directive but becuase Mayor Newsom was "the only person he felt he could trust". There was no rule about handing passwords over, he felt "None of the persons who requested the password information from Mr. Childs... were qualified to have it," according to his lawyer. It was his opinion, nothing else.

Why Did He Refuse?
Terry Child built this network. It was his baby and he owned it. He was the only person with access and was on call 24/7/365 and the only person familiar enough with it to work on it. He loved it so much that he applied and was granted a copyright for the network design as technical artistry. His department was going through a series of downsizes and his supervisor began to audit his work, which previously he had free reign in. He got spooked and started snooping on his bosses, which spooked his bosses and it all lead to a stand off.

What the law says is that your user level password should not be disclosed. This was not a user level password. The law says "All production system-level passwords must be part of the security administered global password management database." He should not be the only person with access to the network. That is why he was asked for the password and should have handed it over. It was not his user level password, but a password to access the network that he built.

He should have just given up the passwords. They weren't his computer systems. He was just an employee. I don't care what anyone here says. Let's say you have a work truck that your employer provides. You are to take the keys in the morning and leave them back when you leave. Do you just go home with the keys in your pocket? I mean none of this makes any sense to me. If he wasn't accessing the network anymore, why would he need the passwords? It certainly didn't benefit him to withhold them. I think he was just blindly obsessed, stupid, or an ignorant prick. The punishment is harsh, and really doesn't fit the crime, but by holding the passwords hostage he had essentially owned the network which certainly caused a lot of headaches for his previous employers. In any organization that large it is utterly foolish to leave all of the keys in one person's hands. What if they die? Go batshit crazy? We are not just talking about a couple of rackmounts in a closet here. Wasn't it a city wide network or something? That was tax payer funded? He may have felt that nobody was capable of running "his" network, but since he was no longer employed there, it really wasn't his place to be concerned with their future. I don't know if what he did warrants a felony charge, but it was certainly unjust. Maybe he felt that he owed his previous employers nothing, but when they haul your ass into court you might as well at least give them what they want, and they certainly didn't ask for much. Its never a good idea to plot against your keepers. Don't bite the hand that feeds you. At least in America you can always leave and fall back to aggravated robbery. We see how well that plan worked out for him in the past.

Terry Childs is a moron if you ask me, and his foolish stubbornness will now tragically cost him some time away from pursuing a happy life. He chose to make himself look like the bad guy, even though his justification was for "good" reasons. I understand that giving the passwords away in a court of law would probably be a bad idea, but it should have never have gotten to that point. He should have certainly just met up with his boss and divulged all that he knew. That's common courtesy. Even if you don't like your employer, they still gave you a job and a paycheck. Sure you can leave, but its always best to do so on good terms. In the end its always wiser to be the better man and just walk away with a clean slate. If Terry Childs would have done that, he'd be a free man who could choose his own destiny and probably even find a halfway decent job. Now he's just another convict with multiple felonies that will have a hard time finding a job when he walks free.

We are not talking about passwords to his email, his domain account, his laptop,etc. We are talking about THE password (there is only ONE) to Cisco IOS routers and switches.
It is the equivalent of root passwords that don't belong to any single person.

That being said, I still think his prosecution is essentially the city behaving like a 5 year old child. The city's CTO should be sacked ASAP for such a huge failure of management: no documentation, no back ups of running configs, no cross-training among personnel so there wouldn't be a single person responsible, etc.etc. No large company runs like that.

that being said....dunno...this sets a bad precedence for sysadmins/IT ppl....as this basically be also interpreted as "if you secure your network from novices who may break the network, you might be guilty of a crime"

If your boss demands the password, give it to them. Send them a letter along with the passwords saying that you are doing it under protest if you want, warn them of the dangers, whatever, but don't be idiotic. So they screw up and the network goes down, big deal, it's a freaking network not the entirety of modern civilization. Some sysadmins have waaay too high an opinion of the importance of their computer systems.

I know absolutely nothing about the San Francisco network. But I find it interesting that Childs said, "These idiots can't be trusted with the passwords," and the second the idiots got the passwords, they published them for the world to see.

Sure enough, those idiots should not have been trusted with the passwords. Hard to fault a guy when they immediately proved him right.:-)

By the way, since this is a municipal system, here are some of the functions I've seen municipal systems handle:

1. 911 calls over VoIP.2. Fire dispatch, as in "Building on fire here"3. Police dispatch, as in "Crazy guy with gun over here."4. Police data, as in "The license plate you just pulled over is driven by a violent felon."5. Videoconferencing that connects lawyers to their clients6. Utility billing/disconnect, as in "These people need their water/power/garbage cut off."

I could go on and on.

Wanna see your basic "evil hacker" movie play out in real life? You couldn't take over the world, but you could make some people miserable. Maybe even get a few of them killed when help doesn't arrive when it should...

Not all computer networks are about making sure Sally in accounting gets her email.

I think the problem people have, is that the court should never have been involved at all. Okay... so he's insubordinate and fired. No problem.

AFTER he's fired, they go to him and STILL want him to do part of his job (disclose the passwords). Tough cookies. The deal in employment is "payment received for services rendered". Once he's fired, he is not receiving payment from the city. So he's under no obligation whatsoever to render services.

You can make a case that he was insubordinate and deserved to be fired. But once he *was* fired, he was entirely in the right to tell the city to FOAD. And the court should have told the city to FOAD as well.

I think the lesson to be learned here is to demand legal statements from people that absolve you of responsibility for their stupidity. "You want these passwords? First give me something I can bring to court, so that when you screw up, you cannot try to blame me." The courts have shown that these are the sorts of measures we must take -- not to try to prevent the damage from being done, but to prevent the idiots who cause problems from passing the responsibility off to us.

Is to perhaps not be knee jerk about what "the right thing," is. Don't presume you know better than everyone, don't presume you are the one with whom the buck should stop and so on. You need to be able to look at the bigger picture. While you might think "the right thing," is for you and only you to have access to the systems because you feel you are the only one smart enough to handle it properly, well consider two things:

1) What happens if you are rendered unavailable? You could die, become incapacitated, whatever. What happens then if you are the only one who has the keys to get in? All of a sudden "the right thing" turned in to a rather large disaster.

2) Consider that maybe you aren't as smart as you think you are, or perhaps that everyone else isn't as dumb as you think they are. Perhaps your boss is perfectly capable of having the password as a backup and not using it to cause any trouble. You might not think he's smart enough, but maybe you aren't evaluating the situation fairly.

Also just remember that you job in IT is customer service, even if you never deal with customers. Your job is to help make computers do what people want them to. They are tools to reach some goal, and you are someone who helps that happen. Part of that means doing what your customers (which are usually your coworkers) want. That doesn't mean giving them everything, but it does mean not being a stone wall that just refuses to do something. Work with people, try to persuade rather than intimidate and so on.

Finally, when it comes down to it, they aren't your systems, they are the organization's systems and if they want to fuck it up, that's their thing. Argue against it, document your objections, but if that's what they want, let them do it. It isn't your place to stop it.

It is my understanding his employment was specific in that he would only disclose the password to the mayor alone. This never happened, thus he never disclosed the password. This case did not require any technical knowledge to grasp the facts, so I am unsure how the jury could come to this result.

Actually, you're missing experiencing the whole trial from the jury box. All we've been given here on/. is soundbites of the trial. We don't know all the evidence presented by the prosecution. We don't know all the evidence provided by the defense. All we know are little bits of info given to us by biased sources. Unless one sat in on the whole trial, slandering the jury is inappropriate.

Slandering the jury is totally appropriate. It's part of the system. They made a bad call. They made a ridiculously bad call. They made a howlingly, ridiculously bad call. Morons, one and all.

Part of the loveliness of living in this country is that I now get to stand up and sing out like Monty Python that twelve mouth-breathing baboons -- no offense to the ACTUAL baboons in their red-butted glory, mind you -- twelve pin-headed boot-licking idiots just sent a man to prison for poor social skills.

Of course you are. NDAs can last 5+ years, classified information remains classified for 50+ years, and networking between bosses on the golf course lasts forever. These are utterly unavoidable, which is why I believe corporations and governments should have obligations at least as stringent. It has to be symmetrical, or a damn good approximation. (Which is why I believe unions - if implemented and run correctly and fairly - are also essential. "Employment at will" does not exist in reality. What exists is employment at the employer's whim. You can check out any time you like, but you can never leave - until the boss says so. Irritate the wrong boss, and you'll never work in that town, city, State or Country again, because that's how networking works at the upper levels. This makes it impossible to switch jobs, save by your boss' consent. The system is feudal and peons have no say in feudal systems. Peons will get walked over, and there is nothing they can do to stop it, no matter what "employment at will" rights they think they have.)

The lesson here is to do whatever your boss says, even if it is incredibly stupid and will make your job entirely unmanageable...

Well, I would have to agree that my 'inner security geek', would have had to swallow really hard a few time before stating production passwords over a teleconference with unknown people. Hell, I would expect to be fired just for doing that.

Damned if you do, damned if you don't. Sometime you just have to suck it up and go look for another job. The sad part is that Terry was probably just a conscientous civil servant, and the boss was a know-nothing political appointee. Terry had probably seen more than a few of these appointed ass-hats come and go, and figured this was just another little tempest that would blow over.

If my boss asks me to do something, I generally do it. What if it violates policy? Well, he's more culpable than I am.

That's the thing. That network is more Childs' boss' than it is his... his boss has more responsibility to it. He wants the password, give it to him and document that you did so. When the network comes crashing down, it's more his fault than yours.... and you're not in jail. Hopefully.

A low UID does not make you smart I see. He committed a crime 25 years earlier. I went to prison when I was 17, and am now 41. Time changes folks, and not just prison time. You are a very narrow minded and prejudiced SOB if you are going to hold stuff against people 25 years after they did the crime.

What does his past miconduct, his being a Jerk, or having bad things at home have to do with his treatment of the city network? I don't see the connection. Only being a jerk, in fact... and if he was following the letter of the laws and policies (which discussion here seems to indicate), that should have been OK.

The take-away from this seems to be, if a superior is bullying you for passwords or other information you're contractually obliged to not give them, don't just tell them "No". Rather, tell them, "(Company|City|State|DOD) policy XYZ prevents me from doing this over the phone. I need to either do it in writing, or get a written statement from Q, P, or W that doing so will violate neither my contract nor any applicable laws." This makes it clear you DO want to help them, but with constraints.

Sound like this could have some bad repercussions for IT folks. Of course all I know about the situation is what has been posted on Slashdot. There could be, and usually is, more to the story. Now that the trial is over with will the court records be posted somewhere?

Sound like this could have some bad repercussions for IT folks. Of course all I know about the situation is what has been posted on Slashdot. There could be, and usually is, more to the story. Now that the trial is over with will the court records be posted somewhere?

That's an excellent question. Throughout this entire case I've felt like I was only getting one side of the story. For example, I haven't seen any quotes from the prosecutor. Prosecuting someone for failing to disclose a password is absurd

Ok the real lesson, sorry to say is: if the Feds want you they will have you. There is a reason why 95+% of indictees plead out. How do I know this? I just emerged from a five year fed sentence at a lovely FCI in Ohio.

Without getting too detailed...I was a media consultant for a major media multinational. The Feds did not like that my focus was piracy but I would not divulge IPs, nyms or rat anyone. After some rather appalling disinformation was seeded (see Darknet...an utter load of made up BS) I was accused of damaging a portable toilet (I am not making this up) and faced life for 18 USC 844(i) and 18 USC 924(c). I was forced to plead out to a mandatory minimum of five years, which I just finished. (in fact, I'm still in a halfway house).

The charges and the character assasination were ALL bullshit. But would you have thrown the dice with a jury and risked life? Me neither.

The feds hate geeks, unless we work for them. Be VERY afraid and very careful. I'll get my life back but the past 52 months were not fun.

Know any good federal lawyers? How, exactly do you plan to "shop around" while in a fed lockup? Surely you know there are no computers, right? I hired three that had great reps. They cost six figures and achieved squat. I could have done the whole thing pro se and gotten the same result.

I'm amazed at how arrogant ppl are about this. Unless you've been through it, you have NO idea.

You perfectly illustrate why rolling the dice with a jury of "peers" like yourself is insane. Who cares about evidence, due process, Rules of Criminal Procedure or mens rea? "Shit, I can eliminate reasonable doubt with a 20 line/. post!"

And I'm sure you would have refused a plea and gone to trial looking at a life bid.

Look I had never been arrested before either. Tin foil hat?No, a very costly education. I hope you never have to face one.

Jeez, where to start. Where, exactly did I say I was "tried?" a plea is specifically to avoid trial, n'est ce pas? And no one "pleads guilty at trial" because a trial is a process to determine guilt or non guilt.

So, listen carefully. When a normal person is faced with the likelihood of life when judged by people too stupid to get out of jury duty, or five years as a plea bargain, almost everyone picks the latter, even if not guilty.

As for mens rea, how could I have it if the event never took place?

I used to be as derisive and arrogant about the law till I learned what Fed law really is. I mean neither harm nor disrespect, just suggesting caution and awareness.

Look. I know IT doesn't have a union. And I wouldn't want one as a programmer and sysadmin based one everything I've ever seen about a union. But this is the time to speak out through actions.

Any IT professional of any competence, and with any amount of self respect needs to refuse to do business with ANYONE who services the city of SF--directly or indirectly. I will be, and will indicate as much explicitly to anyone acting for or on behalf of the city--directly or indirectly that until a full pardon and compensation is paid to Childs, and the relevant individuals are removed from office for corruption, I will not provide any professional services.

If the relevant DA or mayor retires or resigns without reprimand and appropriate court sanctions, I will *never* provide such services.

Yes, I know many people say Childs acted unprofessionally--that's not the point. By refusing to provide the passwords, it would have been arguably justifiable to fire him. He was arrested for refusing to provide passwords after he was already fired--not his problem any more. Had they arrested him before firing him there *might* have been an argument.

I refuse to work for any organization that supports this. And I hope that the members of/. refuse to as well, unless or until the city releases far more compelling evidence of destructive intent than has come to light thus far.

Of course, it's easier for me to say as I'm two states east...but I've a client or two out there.

San Francisco's mayor is one of the most prominent douchebags of recent history. There's no way he would resign unless it meant that he could become governor, senator, or president of the USA by next election. He's an animated golemn, crafted of every negative stereotype of San Francisco there is. When he had every reason to defend Child's actions, he testified against him - condemning what he knew to be an innocent man. What would an egomaniac like that have to gain from stepping down or retracting his testimony against the man when he's busy patting himself on the back for helping put away a dangerous terrorist such as Terry Childs?

If this was 200 years ago, I'd challenge the man to a duel. "You took 5 years of an innocent man's life away because you could. Just how many innocent men have you knowingly put away for 5 years? 10 years? 20 years? How many innocent lifetimes has your sick ego cost the world? I'm sure the devil will give you a full report when you reach Hell."

But now, in 2010, I could probably get charges filed against me just for suggesting something like that! It's those damned everchanging laws of propriety...

Are we getting too hung up on the password issue? Was his refusal to divulge the passwords what he's being found guilty of?

Or is it the fact that if he stepped in front of a bus, the city had no hope of being able to manage the network? My place of employment has "the password list" and it's known to more than one person. If the city allowed Childs to hold all the keys, they're pretty stupid. If they had a policy prohibiting that, I could understand why violating it could get you jail time.

I wonder how the guys who took over Terry's job feel now. I'd be looking for alternative employment at this point -> like maybe a ditch digger or something that just might not get you pooched by the judicial system.

he deserved to be fired, not go to jail. His refusal to hand-over passwords was certainly grounds for firing but it's not clear he broke the law. To a certain extent he is a victim of his own arrogance but also of the ignorance of everyone surrounding him. Maybe he was right? Maybe they all are idiots and he was better off not trusting them? In any case his obligation ended when he was fired.

I'm posting anonymously, but I remember some of the folks were really spooked that he'd deleted images off devices and wiped configs so that if they were rebooted, they would no longer pass ANY traffic. The city called us to see if there was a way to recover passwords without rebooting the boxes. A tampering conviction fits.

Now that I am able to speak about this case, I can give you my take on the matter as having been a juror on it. Having not been able to read about the case during its duration, I can't replay to everything that's been said about it, but I will at least provide my perspective.

This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.

This jury was not made up of incompetent people or idiots. Every single person on there was very educated and well-spoken. I myself am a network engineer with a CCIE and thirteen years experience in the field.

This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law. I personally, and many of the other juror, felt terrible coming to this verdict. Terry Childs turned his life around and educated himself in the networking field on very complex technologies. One different decision by him, or more effective management by the city could have completely avoided this entire scenario. But those are not factors we could consider as a jury. We applied the law as it was provided to us and our verdict was the unfortunate, but inevitable result.

I'm sure many people posting are of the mindset that he's not guilty because he shouldn't reveal the passwords, some policy says this or that, or whatever. You're entitled to your opinion, but let me tell you that I sat through FIVE MONTHS of testimony, saw over 300 exhibits, and personally wrote over 200 pages of notes. I will guarantee you that no matter what you think of the matter, you do not have the full story, or even 10% of it. I am confident that we reached the correct verdict, whether I like it or not.

This is the worst part of our current system, is that juries are not informed of all the duties that are necessary for them to perform. In this case you were led to believe that your only duty was to judge the facts, and apply those facts to the law.

However every member of society has every right, while on any jury, to judge not only the facts of the case, but the law and how they are being applied. This is the ONLY real safeguard to a free people, and the real power of the Jury.

My biggest sadness is that you felt compelled to convict the man, because the fact and the law told you to. Just so you know, you've admitted that you've proven the state has enslaved us all to laws we can't possibly obey.

The jury instructions specifically stated that whether or not we agree with the law in question cannot be a factor in determining if the law was actually broken. Regardless, I found nothing objectionable about the law itself and I don't believe any of the other jurors did either. There are plenty of protections within the law in question which protect people which may be acting under a misunderstanding of the facts or acting within the scope of their employment, all of which we weighed in making our decision.

Jury nullification consists precisely in ignoring
that particular instruction: that you should only apply
the law and not judge the law itself. Duh.
This notwithstanding, if you say you agreed with the law,
and thought it had broken it, well, then, obviously you
did the right (moral) thing and have a lot more info on
the case than random slashdotters. Well done.

The idea of jury nullification is great when it's used on a law you don't agree with, not so much when it goes the other way. The reason that lynchers and other civil right abusers could get away with what they did in the 20's and 30's was because of jury nullification. The phrase "no jury will convict me" was speaking about jury nullification. As they could control who got on the juries and that those people had similar morals that did not agree with the law, they did not have to follow the law. Once society loses the rule of law, there's no reason to follow the law for anything. While I don't agree with a lot of laws and would even hazard that some laws are probably even objectively bad, it would be better to change the laws that rely upon jury nullification.

This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law.

This is like that psych experiment where a test subject is given a buzzer and a set of questions. A lab assistant plays the role of another test subject behind a screen. The buzzer is supposed to deliver a shock for every wrong question. It doesn't, of course, but the lab assistant acts like it does. With each wrong question he screams louder, wimpers, begs to stop the experiment. The official-looking SCIENTIST in his WHITE LAB COAT reassures the skeptical test subject that the experiment should continue. Some subjects will walk about but others will keep administering shocks for unanswered questions even after the man behind the screen is no longer making any noises. Unconscious? Dead? Doesn't matter. The man in the white coat told me what to do. He has AUTHORITY.

If the case never should have come to trial, find him not guilty. The charges are obviously bullshit. Where is it written that conscience and compassion have no place in our courts? Ok, mandatory sentencing says we have to leave our brains at the door but fuck that.

This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.

Another poster already mentioned Jury Nullification; how can you, as a human being, convict another human being after saying you believe all of that?

And of course, the city can't be put on trial for it's portion in this, can it? Nobody from the city is going to go to jail (and the city itself won't be legally "incarcerated") no matter how wrong it was. But because of your strict interpretation of the law, and some "common sense" interpretation about who an authorized user was (even though it wasn't legally specified), he has to go to jail and have his life ruined.

This was one of the most difficult questions for us to answer. Specifically, who is an "authorized user", and who determines who those people are? I won't go through the mounds of evidence we went through to get beyond any reasonable doubt on this issue, but we did ultimately determine that the person requesting the access (his boss' boss) was an authorized user and should have access upon requesting it.

One really important thing to note here is that it wasn't a concern that he did not provide "his" passwords. The real problem is that he did not provide access -- in any form, even in the form of creating new accounts for those requesting it.

It was more difficult because there is no legal definition of "authorized user", and in that case we are left to use a common sense definition of the term. That may be easy to do, but the harder part is determining who those people are, because in different companies and organizations, policies in place many time determine who they are. So now we have another problem here in that there was no formal policy or procedure in place to determine who is an "authorized user", so we had to use the evidence available to us to determine who Terry Childs would reasonably believe an authorized user would be.

To do that, we had to look through a lot of testimony, in addition to pieces of evidence which showed who he had previously determined to be "authorized users". In the end it was our determination that he knew the person requesting access was authorized to have it. Like I said, this was really the hardest question for us to answer, but after examining job descriptions, job vacancy bulletins, performance appraisals, numerous emails, etc., we were able to reach the conclusion we did.

Terry Childs already had this knowledge (as evidenced in the emails). We had to spend the time to sift through all the information to make sure we were beyond a reasonable doubt about this conclusion.

I thank you for your service and for posting slashdot. But I do have a question, and not having all the facts, I ask for your tolerance. One thing here gets repeated over and over, and I'm not sure it's true. Was Childs fired BEFORE he was asked to give up passwords? Doesn't this mean anything? Also, Child's is convicted, can you explain the law he broke and how he broke it (specifically what choice of action he made was illegal and a felony? One more thing... if Child's had better representation, do you think the outcome might have been any different? From what I know, and it isn't much, I can't understand why the case wasn't dismissed... wrong laws applied to a non-crime. But I must defer to your personal experience. And thanks again... sounds like shit work, and most would have done anything to get out of it. Your sense of civic duty is appreciated.

Thanks for your comments, I hope I can address them all. First, he was not fired before asked for access to the FiberWAN. And there's a big distinction there -- not only was he asked for passwords, he was asked for "access". I can understand not giving up your personal username and password, but also not allowing anyone else there own access is entirely different. However, he did go into this meeting knowing that he was being "reassigned", so I'm of the frame of mind that he actually thought he was being fired. After a long period of different claims -- including that he didn't remember them, that he himself had been locked out of the system for three months (even though he was working on it that morning), providing incorrect passwords -- he was placed on administrative leave. He was even scheduled to have a meeting the next week with the CTO of the city to discuss the matter. However, he made one of the biggest mistakes then that he could have. While under police surveillance, he decided then to leave the state and make cash withdrawals of over $10,000. He was arrested, and that's where it became a criminal matter instead of simply an employment matter.

His representation was very good and did a great job in presenting his defense. However, the prosecution was also very good and presented some pretty damning evidence. The law that he broke was a section CA Penal Code 502, specifically that he disrupted or denied computer service to an authorized user and he did so without permission. We had legal definitions provided for many terms, including "computer service" and from this we were able to determine that the ability to manage or configure the routers and switches of the FiberWAN is a "computer service". So, in a nutshell, he broke the law by denying to the COO and others within the IT group the ability to manage those routers when ordered to do so.

I too really wish the case had been dismissed, but I think the city let this story get too large and didn't want to lose face by dropping all the charges. However, as a juror I cannot allow myself to make decisions based on why I think the city did what it did or whether I think that was right or wrong. I really had to take all the facts before me and apply them to the law, and I would hope that if I were ever in court that twelve other people would do the same for me.

The law that he broke was a section CA Penal Code 502, specifically that he disrupted or denied computer service to an authorized user and he did so without permission.

Refusing to provide a password is absolutely not a denial of service. That's like claiming losing keys to a rack in a data center is a denial of service.

However, he made one of the biggest mistakes then that he could have. While under police surveillance, he decided then to leave the state and make cash withdrawals of over $10,000. He was arrested, and that's where it became a criminal matter instead of simply an employment matter.

How this is a criminal act? Was he under court order to stay within the state of California and not touch his money?
This whole case was never a criminal matter.

It's not merely the act of not providing a password that was a denial service. It was the over-arching issue of refusing to provide access at all. Furthermore, there was no way to gain access without significant disruption to the network. He was told he was being reassigned. Therefore somebody else had to take over those administrative duties, but nobody could as he would not provide them. He denied the COO and the entire IT group the ability to administer their own devices.

As to leaving the state, that is not itself a criminal act. Actually, these are facts I learned from the inspector after we reached our verdict. During the trial itself we did not learn the exact reason he was arrested when he was, because that information was not provided to us. From what I understand, he was already suspected of violating the penal code that he was tried on, and when he made those moves (large cash withdrawals, leaving the state), the police were worried he was planning on possibly sabotaging the network or possibly leaving, and that's when they decided to go forward with the arrest and charges.

For me, true justice (not legal justice) would have been served if they would have simply left this matter as an employment issue and never brought it into the criminal arena at all. However, that only happened when Terry Childs, under surveillance after being placed on leave, decided to leave the state and make over $10,000 in cash withdrawals. He really shot himself in the foot on that one.

When he was brought into that meeting, he was being reassigned because he could not work on the FiberWAN any more. He had spent months making engineering decisions that made it impossible for anyone else to gain access to those routers without having correct passwords. He became very possessive, and paranoid, about this network he created, and when it came time for him to release it to others he refused to do so. There were so many choices he could have made that could have diffused the situation, but he didn't do that.

I think the police were ready to allow it to develop as solely an employment matter, while at the same time feeling that he could really be charged at any time. I think once he made those moves he tipped the police over their comfort line.

We felt terrible because Terry Childs had really turned around a lot in his life and our decision would negate a lot of that. I didn't violate my conscience to satisfy the letter of the law. I believe in the law that we applied. Trust me, this wasn't a matter of somebody simply refusing to give up their individual userid and password. There were TONS of other issues that played into the matter, over a period of years. He locked down the network to a point that ensured he would be required for its management, even to the point that some attempts to gain access by other people would have brought the network down.

I'm glad you brought this up, because going through this trial I learned a lot about how -not- to lock down a network if you don't want to end up in this same scenario.

First, all of the edge devices of the FiberWAN were configured with "no service password-recovery". This is a relatively newer IOS command (I believe) that, in a way, disables the ability to do a standard password recovery. Actually, you can still follow the password recovery procedure, except now during the recovery procedure the router will now prompt you that password recovery is disabled, and if you wish to proceed the existing configuration will be erased. So, you can still gain access to an edge router of the FiberWAN, but it will now have no configuration in it, essentially making it useless.

The next problem was the core routers, which were 6500 series. The IOS running on these did not have the "no service password-recovery" feature, so what he did here was to erase the NVRAM and only keep the running configuration. Any attemt to do a password recovery would require a reboot, and the configuration would be gone. The core routers were not configured to load a new configuration from a remote server, but instead Terry Childs had modems connected to terminal servers so that in the event of any power outage he would be able to dial in and load the configurations back in.

As to these configuration backups, Mr. Childs kept these on a DVD he kept with him at all times. Furthermore, this DVD was encrypted and could only be decrypted using his laptop (as the encryption program required not only a password, but access to a specific file that existed on the laptop).

As for system logs, the city had no access to see what these might have said, as the routers were set up to log only to a server that Terry Childs controlled. He was the only one with passwords to that server. And not only that, he had placed that server inside a black metal cabinet with holes drilled in the side to allow cable runs, and the cabinet had two padlocks on it. Slight paranoia?

A few days before access was finally provided, Cisco discovered actually a very ingenious way to be able to get the edge configurations. (Either they did or did with help of those in the technical blogosphere). The edge devices were (if I remember correctly) 3650 series which allowed stacking. Apparently, if you are in enable mode on a new switch and then stack it to one of the FiberWAN edge devices, the configuration would sync over to the new device so essentially you have a copy of the old switch but have the ability to change the password. This was the path they were going to take with the edge when Mr. Childs provided access and it was no longer necessary. Also though, this procedure would not have helped for the more critical core devices.

We specifically spent hours on the question of intent and making sure we were beyond a reasonable doubt. As to the removal of the other juror, there's way more to that story than any paper knows, and I don't want to go much into it, but he was definitely dismissed "for cause", not because he was some type of lone holdout or something like that.

The law we used was CA Penal Code 502. We did not make up any laws or definitions in reaching our decision. Just take a look at the number of posts and opinions here which fall in both directions. Do you think they have more facts about the case available to them, who may have read some articles and blogs about it? Or do you think I may have more information upon which to base my opinion, after listening to five months of testimony, reading hundreds of emails, many sent by Mr. Childs himself, showing his state of mind and intent? There's way more to the story here than simply a good tech guy all of a sudden being requested to turn over some passwords.

No, it was:1. Terry Childs was informed he was being reassigned.2. He was asked to provide access to the network which he would no longer be working on and to which he was the only one with access.3. He refused to provide that access.4. He was told he could possibly be in violation of the law by refusing to provide access.5. He refused to provide that access.6. He was placed on paid administrative leave.7. He was arrested.

That's the order, but it's definitely hugely summarized. There were lots of other events that led up to this and were intermingled.

Yes. Security rightly assumes that the weakest link of any computer/information protection is the humans. He followed their policy about how to deal with people trying to get access, no matter where or how powerful those people were.

Remember, the police and the government here in America are utterly corrupt, and fighting against that is futile

You know, staying stuff like this is an insult to people who live in / come from places where the government and police *are* truly corrupt. I once worked with a guy from Brazil who was happy when he went through a police roadcheck because it reminded him he wasn't in Brazil. In Brazil he would have had to have paid a bribe to the police, been detained hours, or risked being pulled from his car and beaten. Here it was a few questions and 'have a nice night, sir' - And he was an olive-skinned guy driving a new Nissan. In the USA if the police knock on your door and ask to come in you can tell them to go away - And they have to. In many parts of the world they'll kick your door in without asking, trash your house, and rape your daughter for good measure.

This is a post written by someone who has clearly never actually been to a country with corrupt police, and having been to a few my self I was quite happy to get back to Western Europe/N.A. where people don't realize just how lucky they are that bribery is something we talk about on TV not the only way to accomplish anything.

He was given the option to hand over the passwords and walk away or face jail time. He could have handed everything over (even though it violated a contract) and it would all be forgotten. Through some misguided sense of morals or utter stupidity he chose to let it go to trial.

Don't kid yourselves for one second, juries are stacked with wishy washy room temp IQ dullards who are easily swayed on emotional opinions. Do you think this jury had any clue what a password file or network topology was? He was portr

Funny you should say that. The last jury I sat on, the woman sitting across from me was a programmer. Her exact words to the judge, when he asked her employment were, "I twiddle bits". He blinked, and she got a lot more formal afterward.

By the way, she was also the first to vote to convict when we got back to the jury room. Binary logic was not working in the defendant's favor with her.

I was a juror on this case (see post way far below). I am a network engineer with thirteen years experience and a CCIE certification. All of my fellow jurors were highly educated individuals. Although none of them were fellow network engineers, they were a far cry from "wishy washy room temp IQ dullards".

We were not swayed at all by emotional opinion, because if we were we probably would have acquitted because we all agreed that the situation Terry Childs was put in was not called for. However, the facts in the case bore out the verdict we reached.

As an American, I am profoundly depressed by this thread. I respect the juror who is posting his perspective here, and greatly appreciate the fact he's taking the time to explain what happened from an insider's perspective. But his account reveals a terrible devolution of our system of justice: the ordinary citizens on a jury no longer protect us against an inappropriate or unfair application of the law.

It makes me furious every time I hear a juror come out of the jury room and say "I don't think he really did anything bad, but according to the judge's instructions, I had no choice but to convict." No, you had a choice. The brilliantly cynical and untrusting rebels who wrote the Constitution put you there to make the choice. Not an unfeeling robotic choice, not a judge-directed decision, but an independent decision that truly reflects the informed judgment of a "jury of peers."

The jury has become, not an independent check against the juggernaut of government prosecution, but a mere puppet of the system. In such a legal system, any one of us can be sent to jail for life on the government's whim, because there's not one of us who doesn't -- knowingly or unknowingly -- violate several laws daily; we count on juries to say, when appropriate, "ok, maybe he technically violated the law, but this prosecution is unreasonable, and we're not going along with it."

Our system was designed to make it really, really hard to convict. And really easy to acquit. If the prosecutor doesn't like the case, he can toss it out. If the judge doesn't like the case, he can toss it out. Heck, if the judge doesn't like the jury's "guilty" verdict, he can toss it out (but he can't set aside a "not guilty" verdict). Why has the jury come to believe they can't exercise at least the same power as the prosecutors and the judge routinely do: the power to toss out a case that just ain't right?

Bet you one of the conditions of Childs' "release" is a prohibition on using computers for the next 5 years.

You did what you thought right, and interpreted the judge's jury instructions as carrying the same weight as black-letter law. But they don't, and as others have pointed out the catch-all term "jury nullification" can be the right thing to do when the law is an ass, or when the prosecution has wildly overreached. Hopefully this'll be overturned on appeal, and I really would like Childs' managers and the key prosecutor's names to become as well-known as Childs. There was (and still is) plenty of blame to go around.

As others have pointed out, if the employer did not have a police force and court system handy, this never would have become a criminal matter.

Unfortunately that may be how the conversation actually went, but without the joke. I would like to think that in a situation like that most people would say something like: "I want to help, I really do, but if I may please explain, there is a policy..."

However real people under real stress can behave in less than rational ways. And, sadly, in the real world even a small single negative action can result in an avalanche of unpleasant reactions.

It was very probably being a jerk that got him convicted - people are much more likely to convict the headstrong than the guilty. I don't know if he really was guilty of anything, I've not really examined the evidence, but it's a well-documented psychological flaw of individuals that looks and personalities have a far far greater bearing on who is convicted than the actual evidence itself. There is no fix for this bug that is not worse than the bug itself.

Even if he were guilty, his real "crime" would be being a little too uptight, perhaps being an a-hole a little too often, and maybe being a little obnoxious. Note that these are only true if he actually is guilty of something. I fail to see how a purely punitive system is going to be useful in correcting these issues, which are not uncommon amongst those with Geek Syndrome (aka Asperger's). In the same way drunk drivers are sometimes ordered to attend AA meetings, the most suitable punishment (again IF he is guilty) would be to require him to attend an Asperger's group and/or get checked-out by a pdoc for some sort of treatment regimen. (Asperger's is not, technically, treatable but CAN aggravate other problems that are.) This would be cheaper than prison, by a LONG way, be far more likely to be effective, AND would be more likely to increase his value to society (whereas prison rots skills and therefore decreases value).

There is just no way around it, no matter how big a douche your employer is, or how wrong or unfair you think it is, or how big a mistake they are making... withholding your employers' passwords will land you in jail.

Some may work up some emotion over this, but I don't think this will really be a surprise to many people.

Here's a hint; when you end up in a room with the cops and a lot of your management, fine, ask for your lawyer, but don't plan on using that same management's written policy against them. They are management - they wrote the policy. They're telling you their new policy. Verbally. In no uncertain terms. With the cops present.

You cannot lock your customers out of their equipment. This is not a legal theory our society will ever adopt, nor should it. Imagine if the courts agreed that IT staff has discretion to withhold their customers' own passwords. "They weren't smart enough to have it." "They asked for it the wrong way." "They once had a written policy that I shouldn't tell them."

OK, so no one can ever fire you. When can't you come up with an excuse to lock the equipment and walk off? Imagine if the courts blessed it! You could pull that burn off and coast, untouchable. Yeah, that philosophy really has legs.

You: "Give me the password."Your employee: "No."You: "You're violating my policy - I need the password."Your employee: "I disagree. I have my own interpretation of your policy."You: "You're fired."Your former employee: "Great, now I definitely won't give you the password."You: "Obviously I'm not paying you to refuse to do what I'm asking. But you still have my passwords."Your former employee: "Fine, but since you're not paying me, I'm not your slave. You can't force me to perform."

Hear that sound? It's the eyes of every slave who ever lived rolling back in their heads.

Think about it. Childs could, if he truly was motivated by fear of violating a policy, have called his lawyer into the room, to say: "no problem, we'll give you the passwords, we just need you to release us from liability for disclosing those passwords, one pager, sign here..." He didn't, because this was about ego, not policy. He just didn't want to have to cave and do what they said. He's not the first - many an outsized ego has landed its owner in prison.

Lets try this from the other persepective:Your Employer: Give me the password.You: But you told me I'd be liable for anything that happens if I give it to you.Your Employer: Give me the password!!You: No. I don't want to be liable.Your Employer: You're fired!!!You: Fine.Your Employer: Give me the password!!!!You: I don't work for you anymore. And I still don't want to be liable.Your Employer: Peon!!!! I own you!!!!!! I'll grind you into dust!!!!! Lawyers! Destroy him!!!And they did.

This guy was in the employ of the city government, which necessarily acts differently than a corp, which makes your analogy false. His direct bosses don't make the rules, the elected officials do. The difference is crucial. Furthermore, his following the rules was not to the detriment of the city.

Here's an earlier comment [slashdot.org] that discusses the city policy.

And here's a quote from the password policy of the city, which is in that link:

"Password Policy"As such, all County employees (including contractors, vendors, and temporary staff with access to County systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis""Do not share County passwords with anyone, including administrative assistants or secretaries.

All passwords are to be treated as sensitive, confidential County information.

Here is a list of things to avoid-Telling your boss your password.-Talking about a password in front of others.-Telling your co-workers your password while on vacation."

As we can see from the city policy, telling your boss is already out, and talking about your password in front of others (the individuals on the other end of the phone line) is also a no-no. Terry Childs did the right thing by not giving out the passwords to anyone but the Mayor. Did Childs' boss ever get in trouble for breaching city policy? Probably not.